如何用windbg断在驱动入口和派遣函数
很多时候，通过修改驱动文件（在函数头写入 0xCC，即 int 3）来下断并不可靠：文件一旦被改动，往往通不过驱动自身或系统的完整性校验（带 Authenticode 签名的驱动尤其如此，改一个字节签名就失效），而且每次都要把改过的文件重新拷贝到目标机，过程繁琐。更自然的做法是在驱动加载时直接断在入口（DriverEntry），完全不碰磁盘上的文件：
bp nt!MmLoadSystemImage "du poi(poi(esp+4)+4);r@$t1=poi(esp+0x18);gu;bp poi(@$t1)+poi(poi(@$t1)+poi(poi(@$t1)+0x3c)+0x28)"
说明：这条命令只适用于 32 位 x86 内核（stdcall，参数从 esp+4 起依次排列）。断在 nt!MmLoadSystemImage 后，`du poi(poi(esp+4)+4)` 打印第 1 个参数 PUNICODE_STRING ImageFileName 的 Buffer，也就是正在加载的驱动路径；`r @$t1=poi(esp+0x18)` 保存第 6 个参数（OUT PVOID *ImageBaseAddress）的指针；`gu` 让 MmLoadSystemImage 执行完并返回，此时映像已映射、基址已写回；最后一个 bp 用 基址 + e_lfanew（基址+0x3c 处的值）+ 0x28（IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint）算出 DriverEntry 的地址并下断。由于内核要等 MmLoadSystemImage 返回之后才调用 DriverEntry，这个断点一定来得及。注意：nt!MmLoadSystemImage 不是导出函数，需要正确加载内核符号才能解析；它对每一个被加载的系统映像都会触发，应根据 du 打出的路径确认是目标驱动再放行；x64 的调用约定不同（前四个参数在寄存器，其余在栈上），上述偏移需要重新推导。
断派遣函数:
通过 PCHunter（或其他 ARK 工具）找到 DriverObject 地址；不想依赖第三方工具的话，也可以直接在 WinDbg 里用 `!object \Driver\TsFltMgr` 取得对象地址，或用 `!drvobj \Driver\TsFltMgr 2` 一步列出派遣表。
dt -b _DRIVER_OBJECT 0x821bb320;dds 0x821bb320+0x38
MajorFunction 位于 +0x38，共 IRP_MJ_MAXIMUM_FUNCTION+1 = 28（0x1c）项；dds 默认打印 32 个 dword，所以下面输出的最后 4 行已经越过派遣表，落入紧随其后的 _DRIVER_EXTENSION（0x821bb3c8 处的 0x821bb320 就是 _DRIVER_EXTENSION.DriverObject，回指驱动对象本身）。用 `dds 0x821bb320+0x38 L1c` 可以只打印派遣表。
在 DriverInit、DriverStartIo、DriverUnload 和 MajorFunction 各项上按需下断。指向 nt!IopInvalidDeviceRequest 的项是内核为驱动未实现的 IRP 主功能码填入的默认处理函数，没有必要去断；真正由该驱动实现的只有下标 0（IRP_MJ_CREATE，TsFltMgr+0x1a240）、2（IRP_MJ_CLOSE，同一函数）、0xe（IRP_MJ_DEVICE_CONTROL，TsFltMgr+0x1a260）和 0x10（IRP_MJ_SHUTDOWN，TsFltMgr+0x530）。从攻击面角度看，IRP_MJ_DEVICE_CONTROL 处理函数直接接收用户态 DeviceIoControl 传入的控制码和缓冲区，是最值得下断和审计的一项，例如 `bp TsFltMgr+0x1a260`。
kd> dt _DRIVER_OBJECT 0x821bb320
ntdll!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : 0x821e4d40 _DEVICE_OBJECT
+0x008 Flags : 0x12
+0x00c DriverStart : 0xf853d000 Void
+0x010 DriverSize : 0x1ca00
+0x014 DriverSection : 0x821fc048 Void
+0x018 DriverExtension: 0x821bb3c8 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\Driver\TsFltMgr"
+0x024 HardwareDatabase : 0x80671ae0 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xf85572a0 long+0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : 0xf8557240 long+0
kd> dt -b _DRIVER_OBJECT 0x821bb320
ntdll!_DRIVER_OBJECT
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : 0x821e4d40
+0x008 Flags : 0x12
+0x00c DriverStart : 0xf853d000
+0x010 DriverSize : 0x1ca00
+0x014 DriverSection : 0x821fc048
+0x018 DriverExtension: 0x821bb3c8
+0x01c DriverName : _UNICODE_STRING "\Driver\TsFltMgr"
+0x000 Length : 0x20
+0x002 MaximumLength : 0x20
+0x004 Buffer : 0xe13f0358"\Driver\TsFltMgr"
+0x024 HardwareDatabase : 0x80671ae0
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0xf85572a0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction :
0xf8557240
0x804f454a
0xf8557240
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0xf8557260
0x804f454a
0xf853d530
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
0x804f454a
kd> dds 0x821bb320+0x38
821bb358  f8557240 TsFltMgr+0x1a240
821bb35c  804f454a nt!IopInvalidDeviceRequest
821bb360  f8557240 TsFltMgr+0x1a240
821bb364  804f454a nt!IopInvalidDeviceRequest
821bb368  804f454a nt!IopInvalidDeviceRequest
821bb36c  804f454a nt!IopInvalidDeviceRequest
821bb370  804f454a nt!IopInvalidDeviceRequest
821bb374  804f454a nt!IopInvalidDeviceRequest
821bb378  804f454a nt!IopInvalidDeviceRequest
821bb37c  804f454a nt!IopInvalidDeviceRequest
821bb380  804f454a nt!IopInvalidDeviceRequest
821bb384  804f454a nt!IopInvalidDeviceRequest
821bb388  804f454a nt!IopInvalidDeviceRequest
821bb38c  804f454a nt!IopInvalidDeviceRequest
821bb390  f8557260 TsFltMgr+0x1a260
821bb394  804f454a nt!IopInvalidDeviceRequest
821bb398  f853d530 TsFltMgr+0x530
821bb39c  804f454a nt!IopInvalidDeviceRequest
821bb3a0  804f454a nt!IopInvalidDeviceRequest
821bb3a4  804f454a nt!IopInvalidDeviceRequest
821bb3a8  804f454a nt!IopInvalidDeviceRequest
821bb3ac  804f454a nt!IopInvalidDeviceRequest
821bb3b0  804f454a nt!IopInvalidDeviceRequest
821bb3b4  804f454a nt!IopInvalidDeviceRequest
821bb3b8  804f454a nt!IopInvalidDeviceRequest
821bb3bc  804f454a nt!IopInvalidDeviceRequest
821bb3c0  804f454a nt!IopInvalidDeviceRequest
821bb3c4  804f454a nt!IopInvalidDeviceRequest
821bb3c8  821bb320
821bb3cc  00000000
821bb3d0  00000001
821bb3d4  00120010
（以上前 28 行为 MajorFunction[0..0x1b]；最后 4 行已越过派遣表，属于紧随其后的 _DRIVER_EXTENSION。）